What is a bug bounty? The best definition I could find was from a Daniel Miessler post about security assessment types. He said: “a bug bounty is a type of technical security assessment that leverages crowdsourcing to find vulnerabilities in a system.”
The history of bug bounties is interesting too.
Here are some timeline highlights:
1995: Netscape introduces the first bug bounty program. It offered cash rewards for finding bugs in Netscape Navigator 2.0
2002-2005: Firms Idefense and TippingPoint started so-called middlemen programs. These programs collected vulnerabilities from researchers and connected them to vendors. These programs still exist today
2007: Pwn2Own launched, which is a contest and hunt for bugs during a limited period. It started with a reward of $10,000
2010-present: Google began a bug bounty program for web applications. Companies like Facebook, PayPal, and others, up until the present day, continue to launch programs. Also, during this time, companies like Synack, Bugcrowd and, Hackerone established what was called bug bounty marketplaces or crowdsourced vulnerability assessments.
What are bug bounty marketplaces?
Here is where the journey started.
Bugcrowd was picked as the program to participate in for my investigations. If you read its website, it is the largest crowdsourced cybersecurity program. You start the process by establishing an account, agreeing to some legal Terms of Service (TOS) and logging in. Once logged in, you create or document your profile. You then get to view a dashboard, programs and various portions of the program.
The most interesting items to view, when first logging in, are the leaderboard and hall of fame sections. Bugcrowd plays to the human/hacker condition of being recognized for what you have accomplished. Its leaderboard is very reminiscent of online game leader boards where you can view who is the best this month and all time. Participants earn points which are generated by bug reports or reported vulnerabilities.
Initial plans before signing up for any programs was, for me, to spend some time building a research or lab environment and get some bug hunting practice on vulnerable applications. About four months were spent building a lab and spending time testing vulnerable lab applications. Once comfortable with the bug hunting process, it was time to check out programs. In Bugcrowd, there are public facing programs and invite only private programs. Getting started in the public program process involves reviewing the program scope, goals, rules and ratings and rewards.
Bug hunting
Before doing any testing, it is essential to take another look at the ‘in scope’ targets. Testing against any targets outside of the scope or connected third parties would result in a violation of the TOS and possibly legal repercussions.
Once you have established what program you plan to participate in, it is time to get testing. Bugcrowd program participants (the companies that pay Bugcrowd to manage its program) vary and have representation across all verticals.
Submission
If you manage to find a bug or flaw in a target, it is time to submit the vulnerability for evaluation. Your submission should contain detailed information about how you discovered the vulnerability, its security impact, how to replicate it and a proof of concept. Don’t forget to include the ‘in scope’ target affected by the vulnerability.
After submitting the vulnerability, it will be evaluated and tested to make sure it is valid. Vulnerability submissions can be rejected, accepted or flagged as a duplicate during the process.
Reward
If the vulnerability submission is validated, there are two forms of rewards available in Bugcrowd’s program. Kudos points are used to measure the quality, impact, and volume of your submissions. Financial compensation is paid out for a validated vulnerability. Each bug bounty program has different monetary compensation guidelines and amounts for submissions. (We did not receive any rewards during the course of this research)
References
https://blog.cobalt.io/the-history-of-bug-bounty-programs-50def4dcaab3
https://danielmiessler.com/study/security-assessment-types/
https://researcherdocs.bugcrowd.com/
https://en.wikipedia.org/wiki/Bug_bounty_program
NTT Security is the specialized security company and the center of excellence in cybersecurity for NTT Group. With embedded security we enable NTT Group companies to deliver resilient business solutions for clients’ digital transformation needs. NTT Security has 10 SOCs, seven R&D centers, over 1,500 security experts. NTT Security is part of the NTT Group (Nippon Telegraph and Telephone Corporation), one of the largest ICT companies in the world.
